ABSTRACT

Security risk analysis and management for infrastructures is a challenging task because the uncertainties regarding both the capabilities of security systems and the various threat scenarios are high. Cost-benefit analysis of investments in physical security systems to reduce the overall vulnerability of infrastructures is an especially complex problem. This paper presents an approach based on a quantitative model for vulnerability analysis previously introduced by the authors. Based on the model, a Bayesian Decision Network (DN) is derived. The result of the DN is a Return on Security Investment (ROSI) based on the principle of the weakest path. The ROSI can be used to find the best outcome among different configurations, considering mitigation of security risks and the required investments in security measures. In a last step, the application of the developed approach to a simplified infrastructure is presented. Finally, the results are summarized and discussed.